
Newsletter Bergh Stoop & Sanders about the new privacy rules: are you ready for the GDPR?

21.07.2017

Privacy-proof: are you ready for the GDPR?

A proper privacy policy will be key as from May 2018, when the new European privacy regulation (the GDPR) comes into force. Privacy rules will become more stringent, especially for companies engaged in large-scale personal data processing. As data subjects will be given more rights and will be able to call companies to account if they fail to comply with the law, compliance risks will increase. These rights include the right to information, the right of access, the right to rectification and the right to erasure (the ‘right to be forgotten’).
 
Our firm can help you prepare for the new privacy rules. A first step is awareness of the new rules within your organisation. In this newsletter, we will list the most important changes compared to current legislation. A next step is implementing a proper privacy policy that is tailored to your organisation.

What is this about?

On 25 May 2018, the new privacy regulation (the General Data Protection Regulation, also abbreviated as ‘GDPR’) will take effect.

Who?

The GDPR requirements will apply to all EU-based organisations that process personal data. Companies outside the EU offering products or services to individuals in the EU, or monitoring the behaviour of individuals in the EU, for example for the purpose of targeted advertising, will also be subject to the Regulation.
 
The rules are stricter for those who are engaged in the large-scale processing of personal data, as is the case for online marketing, for example. The rules are also stricter where sensitive data are being processed (such as medical data or personal data of minors) or where use is made of profiling, for instance to create customer profiles based on online behaviour.

What?

The principles of privacy law will remain unchanged, but a number of obligations will be expanded or modified compared to the current legislation. Digital-era developments are a point of focus, as that is where privacy is the most relevant. A summary of the main changes is provided below:

  • The specific requirements applicable to the Privacy Notice, the right of access and the right of rectification are expanded in the GDPR;
  • A clearer documentation requirement is introduced for larger companies or companies that process sensitive data; they will be obliged not only to correctly comply with the GDPR, but also to be able to demonstrate compliance by keeping a register of processing activities;
  • Whoever wishes to process personal data based on the user’s consent must meet stricter conditions and be able to prove that consent was given. Consent must be requested in plain and simple language and be withdrawn as easily as it can be given; this means that consent-based processing is not always the most desirable basis for parties processing data on a large scale;
  • New terms in the Regulation are Privacy by Design and Privacy by Default. Safeguards must be incorporated even when products and services are designed, for example by means of encryption, in order to protect users’ privacy (Privacy by Design). Also, standard measures must be implemented to ensure that no more personal data are being processed than are needed for a specific purpose (Privacy by Default). This means, for example, that the default setting of social media accounts must be ‘private’ rather than ‘public’;
  • Outsourcing will be subject to stricter regulation, as the GDPR imposes specific requirements on the contents of processor agreements;
  • If multiple parties are involved in the same processing, each of them may be held liable for all of the damage caused by that processing (joint and several liability), with a right of recourse against the other parties for their share;
  • Companies whose core activities consist of large-scale processing of sensitive data, or of large-scale, regular and systematic monitoring of individuals, will be obliged to appoint a Data Protection Officer to monitor compliance with the GDPR and act as a contact for the national authority;
  • Companies outside the EU offering products or services to individuals in the EU, or monitoring the behaviour of individuals in the EU, will be obliged to designate a Representative within the EU;
  • More severe requirements will apply to processing security, in both technical and organisational terms; the data breach notification requirement – which has applied in the Netherlands since 2016 – will be harmonised at the European level, with notification to the supervisory authority within 72 hours of becoming aware of the breach where feasible, and a Data Protection Impact Assessment must be conducted before starting any high-risk processing;
  • Transfer to countries outside the EU will be subject to stronger regulation. For transfers to the US, a special framework (the EU-US Privacy Shield, adopted by the European Commission in 2016) has been created, which has replaced the Safe Harbour Privacy Principles;
  • The authorities are assigned more power to impose penalties; in the most extreme scenario, penalties may run up to € 20,000,000 or 4% of a company’s worldwide annual turnover, whichever is higher.

When?

The GDPR takes effect on 25 May 2018. This means that the GDPR will replace existing national legislation (such as the Personal Data Protection Act in the Netherlands) and the GDPR will have direct effect in the Netherlands as from that date.

How?

We can help you prepare for the GDPR. We perform a compliance check to verify whether your company is privacy-proof, analysing how you are processing personal data and identifying the specific steps needed to be compliant by 25 May 2018. We are also able to answer specific requests for advice, draw up privacy statements and processor agreements, and help you draft an internal privacy policy that complies with the law.

In the autumn of 2017, we will schedule a workshop for clients to discuss the ins and outs of the new privacy rules and share some specific tips.
 
Are you interested? Please send an email to one of our privacy specialists or give them a call:

Berber Brouwer (brouwer@berghstoop.com)
Astrid Sixma  (sixma@berghstoop.com)
Esther Schnepper (schnepper@berghstoop.com)

T: + 31 20 620 22 88 – Bergh Stoop & Sanders Advocaten.